FriendFinder Data Breach Exposes 400 million+ Accounts

FriendFinder Networks is a company in the adult entertainment, social networking, and online dating space. Several databases from FriendFinder Networks web sites with more than 412 million accounts, including usernames, e-mails, and passwords, have been breached and leaked.

November reports of this data breach on The Verge, LeakedSource and TechCrunch, to name a few, describe it as one of the largest security breaches of 2016, and possibly the largest breach to date, surpassing the breach of approximately 360 million Myspace usernames, passwords and e-mail addresses reported earlier this year.

This would be the second time FriendFinder has been breached in two years. Unlike the 2015 data breach of FriendFinder that allegedly included sexual preference data, this most recent breach is only reported to include account usernames, e-mails, passwords, IP addresses and web browser information.

According to some reports, FriendFinder was breached using a Local File Inclusion exploit. Another reported problem is that FriendFinder allegedly stored user data (1) in plain, readable form or (2) hashed with SHA-1 (Secure Hash Algorithm 1), which is insecure for password storage. One web site, LeakedSource, created a table of the most commonly used passwords from the 2016 FriendFinder breach (top ten shown below):

Top Ten Most Commonly Used Passwords

And yes, we hope none of our readers use any of the passwords on this list.
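As an added example (not code from the original article or from FriendFinder), the following Python contrasts the two storage practices described above, plaintext-equivalent unsalted SHA-1 versus a per-user salted scrypt hash, and shows why a "most common passwords" table like LeakedSource's can be read straight off a leaked SHA-1 column: identical passwords produce identical digests, while salted hashes do not. The user records and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample records. The repeated password is deliberate: shared
# passwords are exactly what a leaked-password frequency table is built from.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "hunter2",
}

def store_sha1(password: str) -> str:
    """Legacy scheme the reports describe: a bare SHA-1 hex digest, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF: cost parameters chosen for interactive logins (16 MiB).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def store_scrypt(password: str, salt: bytes = None) -> str:
    """Hardened scheme: random 16-byte salt per user, stored beside the digest."""
    salt = salt or os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + _scrypt(password, salt).hex()

def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = _scrypt(password, bytes.fromhex(salt_hex)).hex()
    return hmac.compare_digest(candidate, digest_hex)

def duplicate_groups(stored: dict) -> dict:
    """Map each stored value to the users sharing it; keep only shared ones.

    On an unsalted SHA-1 column this yields the password-reuse clusters that a
    leak site turns into a 'top passwords' list without cracking anything.
    """
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}

def demo() -> tuple:
    """Return the number of shared-hash clusters under each scheme."""
    sha1_col = {u: store_sha1(p) for u, p in SAMPLE_USERS.items()}
    scrypt_col = {u: store_scrypt(p) for u, p in SAMPLE_USERS.items()}
    return len(duplicate_groups(sha1_col)), len(duplicate_groups(scrypt_col))
```

Running `demo()` returns `(1, 0)`: the SHA-1 column exposes one reuse cluster (alice and bob), the salted column exposes none.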

A dynamic infographic titled “World’s Biggest Data Breaches” of selected losses greater than 30,000 records provides a useful way to understand the scale of this problem across different types of organizations. (Note how the bubbles in the infographic representing the size of the data breaches keep getting larger each year.)

The increasing size and scope of user data breaches should serve as a reminder of the importance of continual evaluation and action: periodic third-party/outside audits of company web sites, web site development practices, and user account security practices are all essential to mitigate the risk from large-scale data breaches.